Intel Claims Security Flaw Also Impacts Non-Intel Chips, Exploits Can't Corrupt, Modify or Delete Data [Updated]

[69650]

I bet the NSA have known about and used this exploit for some time.

 

[BaltimoreMediaBlog]

I can't resist by saying this means Hillary Clinton is totally off the hook now.

I mean, why wouldn't she and her staff have taken hammers to their corrupt Intel PC laptops for the safety of national security?

 

[Wags]

These stock sales need to be approved months in advance just for this purpose. It's schedule SO THAT they don't have the SEC breathing down their neck. But, the question really is, how long ago was this approved and schedule, and how long ago did Intel know about the issue? As mentioned by another, since Apple has already patched, it was known prior to it's public release.

If Apple already patched then should we have seen signs of any performance hits?

 

[cmaier]

If Apple already patched then should we have seen signs of any performance hits?

The patch they did is not the final patch, according to sources. It makes it harder to implement an attack, but not yet impossible.

 

[curmudgeonette]

Not exactly. It can infer the contents of the memory location based on how long it takes to read information (thus detecting whether given bits are in the cache or are not, and knowing that if it is in the cache that means it corresponds to the hypothesized value). It's a side channel attack.

Meltdown is a side channel attack - but it using a hardware bug.

Some history: The original 6502 had various bugs. From Wikipedia:

The NMOS 6502's indexed addressing across page boundaries will do an extra read of an invalid address. This characteristic may cause random issues by accessing hardware that acts on a read, such as clearing timer or IRQ flags, sending an I/O handshake, etc. This defect continued through the entire NMOS line, but was corrected in the CMOS derivatives, in which the processor does an extra read of the last instruction byte.
The 6502's read-modify-write instructions perform one read and two write cycles. First the unmodified data that was read is written back, and then the modified data is written. This characteristic may cause issues by twice accessing hardware that acts on a write. This anomaly continued through the entire NMOS line, but was fixed in the CMOS derivatives, in which the processor will do two reads and one write cycle. Good programming practice will generally avoid this problem by not executing read/modify/write instructions on hardware registers.

The Meltdown related bug is in the same class as these ancient 6502 bugs. The executing software doesn't see any error, but the hardware is running a dangerous extra bus cycle.

...

Expanding on what I wrote in a previously: It is now possible to create malware that takes over a server, locking out the sysadmin. A thread executing on one core is using Meltdown to snoop kernel data. Meanwhile, one or more threads are executing on other cores and hammering the receive register of a legacy serial port interface. The sysadmin may see that something is wrong, but when they try to connect via a hardwired console, they can't! Every character they type is being eaten up by the malware.

 

[HairForceOne]

Sounds like this may lead to an SEC investigation for insider trading. Given that Apple's 10.13.2 update reportedly patches many of these flaws. It is reasonable to conclude Intel has had some knowledge of this issue for a while.

Edit: The timing of the sale is bad. It doesn't necessarily mean intent was involved.

Actually, the rules regarding insider trading still apply even if you intended to make a transaction before gaining the insider knowledge. Once you become aware of the impactful knowledge, you are forbidden from making transactions until after the information is publicly disseminated.

TLDR - it was insider trading.

 

[skinned66]

So if I was in the market for a personal computer, why would I buy an Intel chip before a re-design? I wonder what this is going to do to price of current stock, that is, how far the discounts will go. A possible 30% decrease in performance is nothing to sneeze at, especially at i7 prices.

 

[BarracksSi]

Was this a genuine security flaw or something that was intentionally put in to provide back channel and only acknowledged now

It was more like a, "Wait -- so you can trick it into doing what now? Did anybody expect this?"

 

[cube]

I think what Microsoft is distributing is the full fix for variants 1 and 3 for Intel, and 1 for AMD (3 does not affect it).

 

[Wags]

So if I was in the market for a personal computer, why would I buy an Intel chip before a re-design? I wonder what this is going to do to price of current stock, that is, how far the discounts will go. A possible 30% decrease in performance is nothing to sneeze at, especially at i7 prices.

I am. Want to know what I am exactly buying.

 

[cfurlin]

For all those claiming there will be a massive class action suit, what grounds do you believe it'll be filed on?

I predict any such attempt will be a huge failure.

Any time people think they can add a few bucks to their bank account without working for it, they’ll jump right on it and convince themselves of its validity. Sometimes even exploiting a dead relative puts icing on that cake.

“Don’t bury grandma just yet. Let her rot in the bathroom. We may need to haul her in to court. I want a new car!”

 

[Cartaphilus]

Strange how many of these CEOs manage to "unfortunately" sell their stock right before some bad news comes out

Who else remembers the Equifax CTO and CEO selling millions of dollars worth of stock just before the news of the massive data breach came out at the end of last year?

These guys have access to inside information months before it becomes public. Easy to say it was a long-planned sale and nothing to do with the bad news

SEC Rule Section 240.10b5-1 gives corporate insiders a way of systematically selling shares they had purchased or been awarded as compensation without forcing them to analyze every development affecting their company to determine if they are in possession of material inside information. Any well-advised insider will immediately set up a 10b5-1 program of systematic sales at set intervals, often with some minimum market price, or when the market price of the stock reaches a specified price or either limit of a range. The insider's broker will simply automatically sell the directed percentage or number of shares when the condition specified occurs. When the issuer of the stock is an established company the opportunity for an insider to exploit Rule 10b5-1 to dump shares in reaction to inside knowledge of material adverse information is remote.

The Equifax case is an excellent example of why 10b5-1 exists. In that case a special committee appointed by the Board reported that it had conducted a thorough investigation and concluded that the two executives had no knowledge of the security breach when they asked to clear their sales. Of course, there remains doubt since it is always difficult to prove a negative. There certainly were employees of Equifax who, during the critical time period, were aware that there was a security breach (although the magnitude of it may have been unknown), so there was at least a possibility that the information reached the ears of the two executives. Had those two Equifax executives wished to monetize their stock holdings, they could have avoided any suspicion by having issued irrevocable instructions to their broker long in advance.

The Intel execs appear to have followed better advice and at this point there are no facts in the public domain that support any conclusion other than that they appropriately availed themselves of a rule that was designed precisely to protect them from unfounded suspicion.

 

[Frozonecold]

Wondered why my AMD stock started shooting up yesterday. Explains a lot.

I would sell it now at a profit... once the media picks up that Spectre affects their chips I think that might change.

 

[LCPepper]

No they didnt "copy" Intel entered into a cross-licensing agreement with AMD, licensing to AMD their patents on existing x86 techniques, and licensing from AMD their patents on techniques used in x86-64.

That’s what I meant by ‘copied’ in inverted commas haha!

 

[cube]

I would sell it now at a profit... once the media picks up that Spectre affects their chips I think that might change.

AMD said there's near zero risk at this time, and from the metaphor I've seen describing this exploit, it indeed seems very difficult to take advantage of.

 

[cmaier]

AMD said there's near zero risk at this time, and from the metaphor I've seen describing this exploit, it indeed seems very difficult to take advantage of.

Sure, but mere difficulty is not impossibility, and given the immense benefits that would accrue to anyone who successfully implements an attack, you should assume that someone will.

 

[cube]

Sure, but mere difficulty is not impossibility, and given the immense benefits that would accrue to anyone who successfully implements an attack, you should assume that someone will.

I am not so sure about that given the description in this case.

 

[mi7chy]

Here's proof Intel is spreading FUD after January security update on AMD.

Before update:

PS C:\WINDOWS\system32> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is enabled: False

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: False


BTIHardwarePresent : False
BTIWindowsSupportPresent : False
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : False
KVAShadowRequired : False
KVAShadowWindowsSupportPresent : False
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False


After update:

PS C:\WINDOWS\system32> Get-SpeculationControlSettings
Speculation control settings for CVE-2017-5715 [branch target injection]

Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: False
Windows OS support for branch target injection mitigation is disabled by system policy: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2017-5754 [rogue data cache load]

Hardware requires kernel VA shadowing: False


BTIHardwarePresent : False
BTIWindowsSupportPresent : True
BTIWindowsSupportEnabled : False
BTIDisabledBySystemPolicy : False
BTIDisabledByNoHardwareSupport : True
KVAShadowRequired : False
KVAShadowWindowsSupportPresent : True
KVAShadowWindowsSupportEnabled : False
KVAShadowPcidEnabled : False

 

[leman]

To me, it is quite clearly a bug! The CPU will read a location it is not allowed to read. The Meltdown demonstration reads memory.

It doesn't actually read the memory. It guesses the memory's content based on some timings. This is certainly a security flaw, but again, I would't call it a bug. The processor itself is operating just as the documentation says, without any mistakes. Now, if a certain combination of opcodes or a certain sequence of memory accesses would render CPU's memory protection mechanism inoperative, then that would indeed be a bug.

This is again similar to a lock where different pins would make slightly different sounds, and a frequency analysis of vibrations of a wall nearby could reveal the combination. The lock's primary mechanism would still not be bypassed by this method. Or, a soundproof room is not less soundproof if you can guess what is being talked about inside from the subject lips or by analysing the video of the glas of water vibrating under sound waves (there was this quite scary TED demonstration).

The thing is, understanding of things evolves and so does the sophistication of the attack methods. This modern methods work on a meta-level, by using secondary information such as how long it takes to execute certain code, or how much power is being used while executing certain code, or where exactly this power is being allocated to etc. etc. When Intel were designing their CPU, something crazy like that probably didn't even cross their minds. And it seems that AMD is immune to at least some versions of the attack because their cache works in a different way.

Further, a non malicious but buggy program could affect the system when it crashes. It might do a random read of a location that affects something (like above.)

It couldn't since it doesn't actually read stuff. The speculative reads have no side-effects, except on the local CPU state (which is then guessed by the attacker).

 

[SoyCapitanSoyCapitan]

So should I buy a G4 Mac again or is Leopard too full of security bugs by ahem modern standards?

 

[cube]

So should I buy a G4 Mac again or is Leopard too full of security bugs by ahem modern standards?

I think I actually saw an iBook among Amazon's best sellers today.

EDIT: No, it was actually a Macbook. Really cheap!

 

[Frozonecold]

AMD said there's near zero risk at this time, and from the metaphor I've seen describing this exploit, it indeed seems very difficult to take advantage of.

It is most likely a difficult hack to pull off, but that doesn't change the fact that AMD chips are susceptible to Spectre... I read this from their own press release. https://www.amd.com/en/corporate/speculative-execution

AMD has done an excellent job at dodging the fire, but they are susceptible to one of the three attacks outlined... and it's a very concerning one. "Spectre is harder for hackers to take advantage of but is also harder to fix and would be a bigger problem in the long term, according to Gruss." https://www.theguardian.com/technol...fect-computers-intel-processors-security-flaw

 

[Neodym]

At least those running DOS 6 and Windows 3.1 on a 486 are safe.

Time to dust off that old Amigas ...

 

[jeremysteele]

I wish I had your optimism, but we're doing some language processing that chews through CPU cycles, writing massive amounts of data to queues in a high availability/replicated VM cluster, and storing the processed data in a database. In the last 24 hours, our business model has literally become "Lets gets screwed by Intel".

Sounds similar to my line of work. Processing billions of documents and tossing it all into various DBs. It'll definitely be interesting to see how this all plays out. I predict there will be a large increase in alcohol consumption.

Good luck keeping everything going!

 

[Analog Kid]

The hybrid design makes no difference.

Any chance you could flesh this answer out a bit?

All I know I learned from Wikipedia, but it looks like the hybrid Mach/BSD kernel was designed to balance modularity with the cost of switching rings. With what little I can see, it looks like the Mach processes already take a bit of a performance hit to improve isolation meaning there might not be as much of an additional hit to flush the TLB.